Vegclass Ransomware

Vegclass Ransomware Description

Type: Ransomware

The Ransomware is a variant of the Ecovector and Mahasaraswati Ransomware, and an encryption ransomware Trojan that uses email addresses belonging to an Indian domain, colorful ransom notes with global warming or other related content, and short ransom messages instructing computer users to contact its associated email address. The Ransomware belongs to a growing family of ransomware Trojans known as CryptoEncoder. The Ransomware renames the files it encrypts, appending the email address associated with the Ransomware and the '.xtbl' extension to each file name. Computer users should avoid paying the ransom and, instead, remove the Ransomware immediately with the help of a reliable anti-malware program. Unfortunately, the files encrypted by the Ransomware cannot be decrypted without access to the decryption key, so it will be necessary to restore them from a backup.

How the Ransomware Carries out Its Attack on Your Computer

The Ransomware carries out an attack pattern common among most encryption ransomware threats. In most cases, the Ransomware is delivered through corrupted email attachments. The Ransomware and its variants have also been seen on file-sharing networks, bundled inside popular torrent files. Once the Ransomware has entered a computer, it will carry out the following steps:

  • The Ransomware establishes a connection with its Command and Control server, obtaining configuration data and relaying information about the infected PC.
  • The Ransomware makes changes to the infected computer's settings, making sure that it runs whenever Windows starts up automatically.
  • The Ransomware runs on the victim's computer, searching for certain file types and encrypting them using an advanced encryption algorithm.

When the Ransomware encrypts a file in a directory, it drops a text or HTML file in that location. The dropped file contains a short sentence instructing the victim to email the con artists responsible for the Ransomware infection. The Ransomware also replaces the affected computer's desktop wallpaper with a ransom message, displayed over a background depicting a factory emitting pollution – for some reason, many of the Ransomware's variants contain messages related to global warming awareness. The following is the message contained in these ransom notes:

To decrypt your data write me to []

When communicating with this email address, computer users will receive a response similar to the one displayed below:

Good morning, dear friend!
We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.
We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.
All your files are encrypted and cannot be accepted back without our professional help.
Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter.
And so our high-grade and quick service is not free.
Please note that today the price of your files' recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?
The Bitcoin wallet for payment is 1DGMeKSALSkYGkedYDUgcvV8mP77WEGusQ
After the transfer of bitcoins please send email with screenshot of the payment page.
We do not advise you to lose time, because the price will increase with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files as a test.
To check this you can upload any encrypted file on web site, size no more than 10 MB (only text file or a photo) and send us a download link.
Certainly after payment we guarantee prompt solution of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.
Kind regards

As with most encryption ransomware infections, prevention is the best measure. Computer users should protect their computers with a reliable anti-malware program that is fully up to date. The best way to nullify the threat presented by the Ransomware and its variants is to always back up your files on an external device.
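The two artefacts described above, renamed files ending in the contact email address plus '.xtbl' and a per-directory note carrying the "To decrypt your data write me to" sentence, are enough to triage an affected machine before restoring from backup. The following script is an added example (not code from the page or its author); it assumes the naming pattern `<original name>.<email>.xtbl`, which the page does not spell out beyond "email address and '.xtbl'", and uses a constructed sample tree with a placeholder email.

```python
import re
import tempfile
from pathlib import Path

# Assumed naming pattern: <original name>.<contact email>.xtbl (assumption, not from the page)
XTBL_RE = re.compile(
    r"^(?P<orig>.+)\.(?P<email>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)\.xtbl$", re.IGNORECASE
)
# Sentence the page reports in the dropped text/HTML ransom notes
NOTE_MARKER = "To decrypt your data write me to"


def parse_xtbl_name(name):
    """Return (original_name, contact_email) for an .xtbl-renamed file, else None."""
    m = XTBL_RE.match(name)
    return (m.group("orig"), m.group("email")) if m else None


def triage_tree(root):
    """Walk a tree and inventory encrypted files (with recoverable original names) and ransom notes."""
    encrypted, notes = [], []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        parsed = parse_xtbl_name(p.name)
        if parsed:
            encrypted.append({"path": str(p), "original": parsed[0], "email": parsed[1]})
        elif p.suffix.lower() in (".txt", ".html", ".htm"):
            try:
                text = p.read_text(errors="ignore")
            except OSError:
                continue
            if NOTE_MARKER.lower() in text.lower():
                notes.append(str(p))
    return {"encrypted": encrypted, "notes": notes}


def build_sample_tree():
    """Constructed sample tree (placeholder email, fake ciphertext) so the triage runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.vegclass@example.invalid.xtbl").write_bytes(b"\x00ciphertext")
    (root / "docs" / "README.txt").write_text(NOTE_MARKER + " vegclass@example.invalid")
    (root / "notes.txt").write_text("meeting at 10")  # ordinary file, must not be flagged
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

The `original` field tells you which file to pull from backup for each encrypted path; the `email` field groups files by the variant that touched them.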

Technical Information


File System Details

Vegclass Ransomware creates the following file(s):
